This chapter describes the most common installation problems and how to solve them. It also provides some tips on checking patch levels and kernel parameter settings for your system.

Running idsktune
The idsktune utility provides an easy and reliable way of checking the patch levels and kernel parameter settings for your system. You must install the Directory Server before you can run idsktune. idsktune is not available for Windows NT or Windows 2000.

To run idsktune:

Change to the installation directory for your Directory Server.

By default, this directory is /usr/iplanet/servers.

Change to the bin/slapd/server subdirectory.

As root, enter the following command:

# ./idsktune

The following is an example of output that idsktune generates. Note that idsktune does not itself make any changes to the system.

NOTICE : Patch 108875-04 is present, but 108875-07 is a more recent version.

NOTICE : Patch 108652-04 is present, but 108652-13 is a more recent version.

NOTICE : Solaris patches can be obtained from http://sunsolve.sun.com or your
Solaris support representative.

WARNING: The tcp_close_wait_interval is set to 240000 milliseconds (240 seconds).
This value should be reduced to allow for more simultaneous connections to the
server. A line similar to the following should be added to the
/etc/init.d/inetinit file:

ndd -set /dev/tcp tcp_time_wait_interval 30000

NOTICE : The tcp_conn_req_max_q value is currently 128, which will limit the value
of listen backlog which can be configured. It can be raised by adding to
/etc/init.d/inetinit, after any adb command, a line similar to:

ndd -set /dev/tcp tcp_conn_req_max_q 1024

NOTICE : The tcp_keepalive_interval is set to 7200000 milliseconds (120 minutes).
This may cause temporary server congestion from lost client connections.

NOTICE : The tcp_keepalive_interval can be reduced by adding the following line to
/etc/init.d/inetinit:

ndd -set /dev/tcp tcp_keepalive_interval 600000

NOTICE : The NDD tcp_rexmit_interval_initial is currently set to 3000 milliseconds
(3 seconds). This may cause packet loss for clients on Solaris 2.5.1 due to a bug
in that version of Solaris. If the clients are not using Solaris 2.5.1, no
problems should occur.

NOTICE : If the directory is service is intended only for LAN or private
high-speed WAN environment, this interval can be reduced by adding to
/etc/init.d/inetinit:

ndd -set /dev/tcp tcp_rexmit_interval_initial 500

NOTICE : The NDD tcp_smallest_anon_port is currently 32768. This allows a maximum
of 32768 simultaneous connections. More ports can be made available by adding a
line to /etc/init.d/inetinit:

ndd -set /dev/tcp tcp_smallest_anon_port 8192

WARNING: tcp_deferred_ack_interval is currently 100 milliseconds. This will cause
Solaris to insert artificial delays in the LDAP protocol. It should be reduced
during load testing.

This line can be added to the /etc/init.d/inetinit file:

ndd -set /dev/tcp tcp_deferred_ack_interval 5

WARNING: There are only 1024 file descriptors available, which limit the number of
simultaneous connections. Additional file descriptors, up to 65536, are available
by adding to /etc/system a line like set rlim_fd_max=4096

NOTICE : / partition has less space available, 245MB, than the largest allowable
core file size of 460MB. A daemon process which dumps core could cause the root
partition to be filled.

#
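Because idsktune only reports and changes nothing, its recommendations have to be collected and applied by hand. The following added example (not part of idsktune or the product documentation) pulls them out of a saved report, tagged with the severity of the message they follow and the file the report names. The function names and the sample excerpt, taken from the output above, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of idsktune: list the settings a saved idsktune
# report recommends, tagged with the severity of the message they follow.

# idsktune_recs FILE: print "SEVERITY TARGET PARAM VALUE" per recommendation,
# where TARGET is the file the report says the line belongs in.
idsktune_recs() {
    awk '
        # Remember the severity of the most recent message.
        /^(WARNING|NOTICE) *:/ { sev = $1; sub(/:.*/, "", sev) }
        # ndd lines stand alone and belong in /etc/init.d/inetinit.
        /^ndd -set \/dev\/tcp / { print sev, "/etc/init.d/inetinit", $4, $5 }
        # The file descriptor limit is embedded in a sentence about /etc/system.
        match($0, /set rlim_fd_max=[0-9]+/) {
            split(substr($0, RSTART + 4, RLENGTH - 4), kv, "=")
            print sev, "/etc/system", kv[1], kv[2]
        }
    ' "$1"
}

# idsktune_warnings FILE: only the recommendations that follow a WARNING.
idsktune_warnings() { idsktune_recs "$1" | awk '$1 == "WARNING"'; }

# Sample input: an excerpt of the report shown above, saved to a scratch file.
sample=${TMPDIR:-/tmp}/idsktune-sample.$$
cat > "$sample" <<'EOF'
WARNING: The tcp_close_wait_interval is set to 240000 milliseconds (240 seconds).
ndd -set /dev/tcp tcp_time_wait_interval 30000
NOTICE : The tcp_conn_req_max_q value is currently 128, which will limit the value
ndd -set /dev/tcp tcp_conn_req_max_q 1024
WARNING: There are only 1024 file descriptors available, which limit the number of
by adding to /etc/system a line like set rlim_fd_max=4096
EOF
idsktune_recs "$sample"
rm -f "$sample"
```

To use it on a real system, save the report first (for example ./idsktune > report.txt) and pass that file to idsktune_recs.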

Common Installation Problems
Clients cannot locate the server. First, try using the host name. If that does not work, use the fully qualified name (such as www.domain.com), and make sure the server is listed in the DNS. If that does not work, use the IP address.

The port is in use. You probably did not shut down a server before you upgraded it. Shut down the old server, then manually start the upgraded one.

Another installed server might be using the port. Make sure the port you have chosen is not already being used by another server.

LDAP authentication error causes install to fail. If you are installing Directory Server in a network which uses NIS naming rather than DNS naming, you may get the following error:

This error occurs when a machine is not correctly configured to use DNS naming. The default fully qualified host and domain name presented during installation is not correct. If you accept the defaults, you receive the LDAP authentication error.

To successfully install, you need to provide a fully qualified domain name that consists of a local host name along with its domain name. A host name is the logical name assigned to a computer. For example, mycomputer is a host name and siroe.com is a fully qualified domain name.

A fully qualified domain name should be sufficient to determine a unique Internet address for any host on the Internet. The same naming scheme is also used for some hosts that are not on the Internet, but share the same namespace for electronic mail addressing.

I have forgotten the Directory Manager DN and password. You can find out what the Directory Manager DN is by examining /usr/iplanet/servers/slapd-server ID/config/dse.ldif and looking for the nsslapd-rootdn attribute.

If you have forgotten the Directory Manager DN password, you can reset it by doing the following:

Find the nsslapd-rootpw attribute in slapd.conf. If the attribute value is not encrypted in any way (that is, it does not start with {SHA} or {CRYPT}), then the password is exactly the value shown for the attribute.

If the attribute value is encrypted, delete it and replace it with a clear-text value. For example, if you change the nsslapd-rootpw attribute so that it is:

nsslapd-rootpw: my_password

then your Directory Manager DN password will be my_password.

Restart your Directory Server.

Once your server has restarted, log in as the Directory Manager and change the password. Make sure you select an encryption scheme when you do so, so that the new password is not left in clear text in the configuration file.
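A check for the state this procedure passes through, as an added example that is not part of the product documentation: it reads a configuration file and reports the Directory Manager DN and whether nsslapd-rootpw is stored hashed or in clear text. The function names and the sample file are constructed here, and {SSHA} is accepted as a hash prefix in addition to the {SHA} and {CRYPT} prefixes named above.

```shell
#!/bin/sh
# Added example, not from the product documentation: report the Directory
# Manager DN and how nsslapd-rootpw is stored in a server configuration file.

# attr_value FILE ATTR: print the last value of ATTR, joining LDIF
# continuation lines (lines that begin with a single space).
attr_value() {
    awk -v want="$2" '
        /^ / { if (inattr) val = val substr($0, 2); next }
        { inattr = 0 }
        index(tolower($0), tolower(want) ":") == 1 {
            val = substr($0, length(want) + 2)
            sub(/^[ \t]+/, "", val)
            inattr = 1
        }
        END { print val }
    ' "$1"
}

# rootpw_storage FILE: print missing, base64, hashed:<SCHEME> or cleartext.
# {SHA} and {CRYPT} are the prefixes the text names; {SSHA} is added here.
rootpw_storage() {
    pw=$(attr_value "$1" nsslapd-rootpw)
    case $pw in
        '')  echo missing ;;
        :*)  echo base64 ;;   # "attr:: value" form: decode it before judging
        '{SHA}'*|'{SSHA}'*|'{CRYPT}'*)
             echo "hashed:$(printf '%s\n' "$pw" | sed 's/^{\([^}]*\)}.*/\1/')" ;;
        *)   echo cleartext ;;
    esac
}

# audit_rootpw FILE: one-line report; returns 0 only if the value is hashed.
audit_rootpw() {
    storage=$(rootpw_storage "$1")
    echo "rootdn=$(attr_value "$1" nsslapd-rootdn) rootpw=$storage"
    case $storage in hashed:*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: the state the reset procedure leaves before its last step.
sample=${TMPDIR:-/tmp}/dse-sample.$$
printf '%s\n' 'dn: cn=config' 'nsslapd-rootdn: cn=Directory Manager' \
    'nsslapd-rootpw: my_password' > "$sample"
audit_rootpw "$sample" || echo "reset not finished: set a hashed password"
rm -f "$sample"
```

Run audit_rootpw against the real configuration file after the final step; a non-zero exit status means the temporary clear-text value is still in place.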